Abstract

It is repeatedly and persistently claimed in the literature that a specific trace distance criterion $d$ would guarantee universal composition security in quantum cryptography. Currently that is the sole basis of the unconditional security claim in quantum key distribution. In this paper it is shown that $d$ does not even provide security against known-plaintext attacks when the generated key is used in direct encryption. The problem is directly connected with several general problems in the existing unconditional security proofs in quantum key distribution. A number of issues will be clarified concerning the nature of true security, privacy amplification, key generation rate, and the mathematical approach needed for their determination in concrete protocols.
I. INTRODUCTION AND SUMMARY

In quantum key distribution (QKD) there have been many security proofs offered on the "unconditional security" of various protocols of the BB84 variety. (For a recent review see ref. [1].) Until 2004-2005, and in many papers till the present day, the security criterion adopted is the attacker Eve's quantum accessible information $I_{ac}$ on the generated key $K$, which is the maximum mutual information Eve has on $K$ from a measurement result on the probe she may set during the key generation process. Security of $K$ before it is actually used is called "raw security" [2], to distinguish it from composition security when $K$ is actually used in an application for which Eve may possess additional information related to $K$. In particular, when $K$ is used for encryption, part of $K$ may be known to Eve in a known-plaintext attack (KPA) and help her get at the rest of $K$. KPA takes a particularly simple form when $K$ is used in the often suggested one-time pad format, where each known data bit reveals the corresponding key bit.

While "universal" composition security is a complicated matter which is perhaps not needed in its full generality, KPA security is necessary because KPA is one main weakness of conventional symmetric key ciphers that QKD purports to overcome. Indeed, there is otherwise no need for QKD, since its raw security is worse than that of conventional ciphers in which the key is also typically totally hidden by uniformly random data [2]. In this paper all security under discussion is information-theoretic (IT), and a symmetric key cipher is the proper comparison with QKD, not a purely complexity-based cipher such as RSA. This is because a shared message authentication key is necessary in QKD during key generation, and in any case a short shared secret key can always be employed.

It was claimed in [3] that an exponentially small $I_{ac}$ (for an $n$-bit key $K$) would guarantee universal composition security, and that this is applicable to most previous security proofs. The claim was established through an inequality between $I_{ac}$ and a trace distance criterion that has been denoted "$d$" in many papers since [4], an abbreviation we adopt in this paper. This $d$ is supposed to give the trace distance between the states of an "ideal" protocol and the "real" protocol under Eve's attack. It was shown in [4], through an explicit construction involving quantum information locking, that exponentially small $I_{ac}$ does not imply KPA security: specifically, the last bit of $K$ may be leaked deterministically when $n-1$ bits of $K$ are known to Eve from a KPA. This small leak has been enlarged to a "spectacular failure" of the $I_{ac}$ guarantee, under which it is possible that "leakage of even a logarithmic number of key bits compromises the secrecy of all the others" [5].

The remedy, according to [4-7], is to use the criterion $d$ directly. Indeed, $d$ is the only basis of the QKD unconditional security claim at present, including any use of privacy amplification [1, footnote 20], [6-7]. There are three different "interpretations" of what $d \le \epsilon$ asserts, each of which is claimed to imply universal composition security. We will concentrate on KPA security in this paper, which is much simpler and can be treated directly. The three interpretations are:

(i) "The real and the ideal setting can be considered to be identical with probability at least $1-\epsilon$" [6].

(ii) The parameter $\epsilon$ can be understood as the "maximum failure probability" of the real protocol, i.e., the maximum probability that the real protocol "deviates from the behavior of the ideal protocol" [8].

(iii) The "distinguishability advantage" between the real and the ideal protocols is bounded by $\epsilon$ [3].

In this paper all three interpretations will be analyzed, only briefly for (i) because [2] already shows that (i) cannot be true. With (ii) interpreted with respect to a specific scenario, so that it is different from the more general (i), it is refuted by a specific KPA counter-example. In fact, $\epsilon$ could be interpreted as the difference between two probabilities, but it does not have a probability interpretation itself. We will explain why (iii) does not lead to KPA security in general. A different criterion $d'$ is needed for such an interpretation.

In sum, there is no QKD unconditional security proof at all against attacks with quantum memory. The ramifications of this security failure will be elaborated. The actual QKD security situation will be discussed in regard to the secure key generation rate, privacy amplification, and the necessity of using $M$-ary quantum detection theory in quantifying fundamental security performance unless $d'$ is bounded.
II. CLASSICAL VARIATIONAL DISTANCE AND QUANTUM TRACE DISTANCE



The classical variational distance $v(P,Q)$ between two probability distributions $P = \{p_i\}$ and $Q = \{q_i\}$ on the same sample space is given by [9]

$$v(P,Q) = \frac{1}{2}\sum_i |p_i - q_i| \qquad (1)$$

with $0 \le v \le 1$. The guarantee $v \le \epsilon$ is equivalent to the following: for any event $\mathcal{E}$, the probabilities of $\mathcal{E}$ under $P$ and $Q$ satisfy

$$|p(\mathcal{E}) - q(\mathcal{E})| \le \epsilon \qquad (2)$$

Indeed we have [9, p. 299]

$$v(P,Q) = \max_{\mathcal{E}} |p(\mathcal{E}) - q(\mathcal{E})| \qquad (3)$$

the maximum being attained by $\mathcal{E} = \{i : p_i > q_i\}$.

An important case for our purpose is when $Q$ equals the uniform distribution $U$, $u_i = 1/N$, on a sample space of size $N = 2^{|K|}$, while Eve has distribution $P$ for $K$. Then (2) shows

$$\big|\, p(\tilde K) - 2^{-|\tilde K|} \big| \le \epsilon \qquad (4)$$

for any subset $\tilde K$ of $K$ and any value it may take. Thus (4) shows that any $m$-bit subsequence $\tilde K$ of $K$ has a probability differing from that of a uniform distribution by at most $\epsilon$. In particular, if $\epsilon \le 2^{-n}$, $P$ and $U$ are not much different quantitatively at all. However, when $\epsilon = 2^{-l}$ with $l \ll n$, $P$ may be very different from $U$ in regard to the possible $p(\mathcal{E})$ even though $\epsilon$ is exponentially small in $n$, say $\epsilon = 2^{-n/2}$. Whether something is small in a cryptographic context has to be judged with respect to the key length or data length, with exponentiation if appropriate.

The quantum trace distance between two density operators $\rho$ and $\sigma$ on the same state space is

$$D(\rho,\sigma) = \frac{1}{2}\|\rho - \sigma\|_1 \qquad (5)$$

with $0 \le D \le 1$. It can be readily shown that $D(\rho,\sigma) \le \epsilon$ implies $v(P,Q) \le \epsilon$ for any quantum measurement which gives $P$ and $Q$ from $\rho$ and $\sigma$ [10]. By measuring in the basis that diagonalizes $\rho - \sigma$, $D(\rho,\sigma)$ itself is achieved as a $v(P,Q)$. Thus we have the equivalence of variational distance with trace distance as a criterion.

It is important to stress that $D(\rho,\sigma) \le \epsilon$ does not imply that $\rho$ and $\sigma$ are close, just as $v(P,Q) \le \epsilon$ does not imply that $P$ and $Q$ are close, unless $\epsilon$ is small enough. An incorrect understanding of the security situation results if the quantitative level of $\epsilon$ relative to $2^{-n}$ is not attended to for an $n$-bit or $n$-qubit sequence. This is due to the large freedom of $P$, in particular of its largest entry $p_1$, that is possible under such a constraint for fixed $\sigma$ or $Q$. This has been emphasized in [2,11-13].

III. PROBLEM FORMULATION AND RAW SECURITY GUARANTEE 

During the key generation process, Eve sets her probe and the protocol goes ahead after intrusion level estimation. We assume that everything goes well on the users' end. Whenever Eve measures on her probe, she obtains a whole probability distribution over the possible values of $K$, i.e., over her possible estimates of it [13]. Classically the quantitative raw security problem can be formulated as follows. We will use an upper case letter for a random variable (vector), with its specific value denoted by the corresponding lower case letter.

Let $X$ be an $m$-bit data sequence random variable picked by user A, and $Y$ Eve's observation random variable of any possible length and alphabet size. The transition probability $p(y|x)$ and a priori distribution $p(x)$ are fixed by the cryptosystem and the chosen attack. The user B observes the random variable $Z$ specified by the cryptosystem, applies an openly known error-correcting code (ECC) to get a data estimate $\hat X(Z)$ which is presumably error free, and then an openly known privacy amplification code (PAC) to yield a final generated key $K$. The ECC and PAC can be combined to yield $K(Z)$ directly. From $Y$ Eve forms her estimate $\hat K(Y)$. The timing of Eve's knowledge of the various openly known codes is implicit in the possible $p(y|x)$ she could obtain.

With Bayes' rule and the known ECC+PAC, Eve forms from $y$ the conditional probability distribution (CPD) on $K$, $p(k|y)$, which gives Eve's success probability of getting the entire $k$ for each possible value of $K$. We will use $P = \{p_i\}$, $i \in \{1,\ldots,N\}$, for this CPD, suppressing the dependence on $y$. Any single-number criterion on $K$, be it mutual information or variational distance, merely expresses a constraint on $P$. The Markov Inequality [9] can be used to convert an average constraint to an individual one for a nonnegative random variable, here $p(k|Y)$ for each $k$ and random $Y$. We order the $p_i$ so that $p_1 \ge p_2 \ge \cdots \ge p_N$. Thus $p_1$ is Eve's optimal probability of estimating $K$ correctly given $y$. It is a most significant number concerning the security of $K$, as we will see.

With $I(K;Y)$ denoting the mutual information between any two random variables $K$ and $Y$, we use the following notations

$$\delta_E = v(P,U), \qquad I_E = I(K;Y) \qquad (6)$$

For simplicity, we take the data $X$ to be uniformly distributed, and the same for $K$ obtained from it via ECC+PAC, the ideal situation. Thus $\delta_E$ and $I_E$ in (6) are indeed single-number measures of Eve's "information" on $K$.

Note that it is not sufficient to employ a criterion that would give perfect IT security at its limiting value, say $\delta_E = 0$ or $I_E = 0$, and then use it at a relatively large nonzero value. The issue is a quantitative one, and whether the security guarantee is adequate depends on the exact value that can be obtained in a concrete protocol, as we will see.

We have shown in [11-13] that for $I_E = 2^{-l'}$, $l' > 0$, Eve's maximum probability of getting the whole $K$ can be as big as

$$p_1 = 2^{-l}, \qquad l = l' + \log n \qquad (7)$$

Unless $l \sim n$, the raw security guarantee of $I_E \le 2^{-l'}$ is very far from that of a uniform key. The subsets of $K$ suffer similarly [13]. When $l'$ approaches $n - \log n$, a more exact estimate of $p_1$ [16] needs to be used in lieu of $2^{-l}$, since $l$ cannot exceed $n$. The practical experimental value of $l' \sim 21$ for $n \sim 4000$ [14,15] is quite an inadequate guarantee, especially after the application of the Markov Inequality [2,13]. Generally, "exponentially small in $n$" can be very misleading, because the rate $\lambda$ in $l = \lambda n$ is the real crux of the security situation. We will see this repeatedly in the following.

The $\delta_E$ guarantee suffers a similar problem [2,13], because for $\delta_E \le 2^{-l}$ the (over $Y$) averaged $p_1$ can be as big as

$$p_1 = 2^{-l} + 2^{-n} \qquad \text{with } \delta_E = 2^{-l} \qquad (8)$$

Thus, unless $l \sim n$ as indicated after (4) above, a $\delta_E \le \epsilon$ raw security guarantee is not really better than that of $I_E \le \epsilon$.
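To make the quantitative point of Section II and of (7)-(8) concrete, here is an added numerical example (this code is not part of the paper). The CPD it constructs, a single spike of height $2^{-n} + 2^{-l}$ over an otherwise flat distribution, is chosen here because it saturates (8); the set of bit positions it marginalizes over is an arbitrary choice of sub-key $\tilde K$. Exact rational arithmetic is used so that (3) and (8) come out as equalities rather than approximations.

```python
# Added example, not from the paper: how little v(P, U) <= eps of eqs. (1)-(4)
# constrains Eve's optimal guessing probability p_1 of eq. (8).
from fractions import Fraction


def variational_distance(P, Q):
    """v(P, Q) = (1/2) * sum_i |p_i - q_i|, eq. (1)."""
    return Fraction(1, 2) * sum(abs(p - q) for p, q in zip(P, Q))


def max_event_gap(P, Q):
    """max over events E of |p(E) - q(E)|, eq. (3); attained by E = {i : p_i > q_i}."""
    return sum(p - q for p, q in zip(P, Q) if p > q)


def uniform(n):
    """U on the 2^n values of an n-bit key."""
    return [Fraction(1, 2 ** n)] * (2 ** n)


def spiked_cpd(n, l):
    """Constructed CPD of Eve on an n-bit key that saturates eq. (8): the value
    k = 0 carries 2^-n + 2^-l, the deficit is spread evenly over the others,
    so that v(P, U) = 2^-l exactly."""
    N = 2 ** n
    p1 = Fraction(1, N) + Fraction(1, 2 ** l)
    rest = (1 - p1) / (N - 1)
    return [p1] + [rest] * (N - 1)


def subset_gap(P, n, bits):
    """Largest |p(K~ = value) - 2^-|K~|| over the values of the sub-key K~ made
    of the given bit positions, i.e. the left side of eq. (4) for that subset."""
    marg = {}
    for k, p in enumerate(P):
        val = tuple((k >> b) & 1 for b in bits)
        marg[val] = marg.get(val, Fraction(0)) + p
    ideal = Fraction(1, 2 ** len(bits))
    return max(abs(q - ideal) for q in marg.values())


def analyse(n, l):
    """Compare the eps = 2^-l guarantee with what Eve can actually do."""
    P, U = spiked_cpd(n, l), uniform(n)
    v = variational_distance(P, U)
    return {
        "eps": v,                                        # v(P, U) = 2^-l
        "max_event_gap": max_event_gap(P, U),            # equals v, eq. (3)
        "p1": max(P),                                    # 2^-n + 2^-l, eq. (8)
        "p1_over_uniform": max(P) / U[0],                # 1 + 2^(n-l): huge if l << n
        "subset_gap": subset_gap(P, n, range(n // 2)),   # <= eps by eq. (4)
    }


if __name__ == "__main__":
    for n, l in [(16, 8), (16, 15), (18, 9)]:
        print(n, l, {key: float(x) for key, x in analyse(n, l).items()})
```

For $n = 16$, $l = 8$ the guarantee $v \le 2^{-8}$ holds with equality, every sub-key probability is indeed within $2^{-8}$ of uniform as (4) promises, and yet Eve's probability of guessing the whole key is $257$ times that of a uniform key; only at $l = 15$, i.e. $l \sim n$, does the factor drop to $3$.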



IV. INCORRECTNESS OF INTERPRETATIONS (i) AND (ii) 

Let $\rho_E^k$ be Eve's probe state when $K$ has value $k$ with probability $p_0(k)$ before B measures, $p_0(k) = U$ in the ideal case. The possible $\rho_E^k$ are limited by the users' intrusion level estimation. Let

$$\rho_K = \sum_k p_0(k)\,|k\rangle\langle k| \qquad (9)$$

be the $p_0(k)$-mixed state on $N$ orthonormal $|k\rangle$'s. Let $\rho_E$ be the $K$-averaged state, and $\rho_{KE}$ the joint state,

$$\rho_E = \sum_k p_0(k)\,\rho_E^k \qquad (10)$$

$$\rho_{KE} = \sum_k p_0(k)\,|k\rangle\langle k| \otimes \rho_E^k \qquad (11)$$

The criterion $d$ is defined to be

$$d = \frac{1}{2}\,\|\rho_{KE} - \rho_K \otimes \rho_E\|_1 \qquad (12)$$

A key satisfying $d \le \epsilon$ is called "$\epsilon$-secure" by definition [6] in the case $p_0(k) = U$.

The "lemma 1" of [6] and [16] was given the following interpretation for $v(P,Q) \le \epsilon$: the two random variables $K$ and $Y$ described by $P$ and $Q$ take on the same value with probability $\ge 1 - \epsilon$. (The lemma says there exists a joint distribution of $K$ and $Y$ which gives this result. That joint distribution is in fact the optimal one for this interpretation.) Given this incorrect interpretation as premise, it can be validly deduced [6, p. 414], [2] that under $d \le \epsilon$, "the real and the ideal setting can be considered to be identical with probability at least $1-\epsilon$". As discussed in [2,13,17], this interpretation of $d$ is not a consequence of "lemma 1" in [6] or [16], but an incorrect interpretation of that lemma 1. We may note here that there is no physically meaningful joint distribution that gives $P$ and $Q$ as marginals other than the product distribution $PQ$, which applies in this situation. Thus the two random variables $K$ and $Y$ would take the same value only as a result of random collision, with probability of order $1/N$, $N$ the size of the sample space, even when $P$ and $Q$ are the same distribution. As concluded in [2], interpretation (i) is simply false and not just unproven.

Going on to interpretation (ii), observe that its wording in [8] is very ambiguous. It can mean either interpretation (i), or (iii) with $\epsilon$ as the probability difference between the real and the ideal cases. We give this "failure probability" a distinct literal interpretation from the words of [8], since it is the sole basis of the QKD unconditional security claim in the recent review [1]. In lieu of the random-variable identity or coincidence of (i), we restrict (ii) to apply just to specific KPA scenarios in which performance can be readily quantified. The following simple counter-example shows that such an interpretation (ii) cannot be expected to hold, not just that it is unproven.

Consider the following simplest information locking example, for a two-bit $K = k_1 k_2$ with probe states $\rho_E^k = \rho_E^{k_1 k_2}$. Let $|i\rangle$, $i \in \{1,2,3,4\}$, be the four BB84 states on a qubit, with $\langle 1|3\rangle = \langle 2|4\rangle = 0$, and let $P_i$ be the projector onto $|i\rangle$. Take

$$\rho_E^{00} = \tfrac{1}{2}\,(P_1 \otimes P_1 + P_3 \otimes P_2)$$
$$\rho_E^{01} = \tfrac{1}{2}\,(P_1 \otimes P_3 + P_3 \otimes P_4)$$
$$\rho_E^{10} = \tfrac{1}{2}\,(P_2 \otimes P_1 + P_4 \otimes P_2)$$
$$\rho_E^{11} = \tfrac{1}{2}\,(P_2 \otimes P_3 + P_4 \otimes P_4) \qquad (13)$$

Thus $k_1$ selects the basis ($1$-$3$ or $2$-$4$) of the first qubit, the outcome on the first qubit selects the basis in which $k_2$ is written on the second qubit, and $k_2$ is therefore locked into the second qubit through $k_1$: it is unlocked by measuring the first qubit in the $1$-$3$ or $2$-$4$ basis according to the known $k_1$, and then the second qubit in the basis thus revealed. For these $\rho_E^k$ the averaged state is $\rho_E = I/4$, so that $d$, which equals [6, lemma 2]

$$d = \frac{1}{2}\,E_K\big[\,\|\rho_E^k - \rho_E\|_1\big] \qquad (14)$$

coincides here with the "ideal" comparison $\frac{1}{2}\|\rho_E^k - I/4\|_1$, which is easily computed to be $1/2$ for each $k$. However, knowing $k_1$ implies $k_2$ is compromised for sure, not with a maximum failure probability $1/2$, contradicting interpretation (ii) in this specific situation. (Note that the $d \le \epsilon$ guarantee is supposed to apply to any $\rho_E^k$ in (12).)
Indeed, any information locking scenario provides a counter-example to (ii) similar to the example of (13). Let $I_{ac} = 2^{-l'}$ with a $\rho_E^k$ that leaks the rest of $K$ from its first $l$ bits according to (7). The corresponding $d$ must be less than $1$, since $D(\rho,\sigma) = 1$ if and only if $\rho$ and $\sigma$ have orthogonal ranges, yet the leak is certain.

It does not appear there is any probability meaning one can sensibly give to $\epsilon$ in $d \le \epsilon$, which is just a numerical measure of the difference between two density operators, similar to $\epsilon$ between $P$ and $Q$ in $v(P,Q) \le \epsilon$. There is simply no basis to assign a probability distribution to the security situation after all the parameters are fixed, i.e., there is no remaining random system parameter that could give rise to such a probability distribution. The incorrect probability interpretation of $\epsilon$ in $v(P,Q) \le \epsilon$ is responsible for the incorrectness of interpretation (i). Here we see that any probability interpretation of $\epsilon$ itself, whatever the "failure probability" may be, would fail similarly.

V. SECURITY FAILURE UNDER INTERPRETATION (iii) 

Going on to interpretation (iii), note the huge difference between it and the other two interpretations. According to (i) and (ii), $d = 1/2$ in the example of (13) is the probability that Eve can succeed, which is not true. According to interpretation (iii), Eve may succeed with probability up to $1/2 + d = 1$, which is true (we actually use $d'$ to get the ideal situation).

It may be observed that $\epsilon$ in $D(\rho,\sigma) \le \epsilon$ is not the success probability of distinguishing $\rho$ from $\sigma$ by a measurement. That is given by the well known [18] probability $P_c$ of correct decision for equal priors,

$$P_c = \frac{1}{2} + \frac{1}{2}\,D(\rho,\sigma) \qquad (15)$$

Note that Eve is not usually trying to make a binary decision with her attack. A major source of confusion may have arisen from calling $\rho$ and $\sigma$ "$\epsilon$-indistinguishable" when $D(\rho,\sigma) \le \epsilon$, as if $\rho$ and $\sigma$ could only be distinguished with probability $\sim \epsilon$. Actually just (15), or (2) for any measurement, is the mathematical statement of "$\epsilon$-indistinguishable". Any other claimed consequence needs to be mathematically expressed and derived from this mathematical given. Such a development has not been provided for universal composition security (which is different from "composability" of the criterion), not just for KPA. Before going into the KPA issue we will show that (iii) is not generally true even for raw security, because the "ideal" situation is not captured by $\rho_U \otimes \rho_E$, as follows.

Consider a term $\frac{1}{2}\|\rho_E^k - \rho_E\|_1$ in (14) apart from the averaging over $K$. A bound $\le \epsilon$ on it implies

$$v\big(p(y|k),\, p(y)\big) \le \epsilon \qquad (16)$$

for Eve's observation $Y$ on her probe. This $v$ does not compare the real situation to the ideal one unless $p(y) = U(y)$. Generally, this means $\rho_E$ should be a completely random state proportional to the identity operator $I$ for finite-dimensional state spaces. However, there is no reason to expect that to be the case. Indeed, there is no way the users can guarantee it, since $\rho_E$ depends on Eve's chosen attack, in contrast to a classical scenario with a single complete $Y$. Thus $\rho_E$ cannot be $\propto I$ for all attacks and probe measurements, and there is no justification to consider $\rho_U \otimes \rho_E$ a general representation of the "ideal" situation when it is inside a trace, although it does serve as one as a whole state (or probability distribution) since $\rho_E$ is independent of $k$. This is why interpretation (i), if it held, would lead to universal composition as well as perfect raw security with high probability, and why (i) or (ii) is crucial for an unconditional security claim.

Notice that under (iii), $\epsilon$ is merely a single-number quantitative measure of difference, and thus has a much weaker meaning than the equality of a whole state or distribution. Indeed, it is clear that the level of $\epsilon$ becomes crucial, as we saw in Section II, even if it is measured with respect to the "ideal".

The following different criterion $d'$ should be used for interpretation (iii),

$$d' \equiv \frac{1}{2}\,E_K\Big[\,\Big\|\rho_E^k - \frac{I}{N'}\Big\|_1\Big] \qquad (17)$$

where $N'$ is the dimension of the range of $\rho_E$. Note that there is a representation problem with infinite-dimensional qumodes.

The distributions that lead to (7) appear to be of the form suitable for information locking with small $I_E$. Indeed, in [5] there is an $l'$ factor in addition to $O(\log n)$ in the expression for the number of unlocking bits in the key segment, exactly as in (7). In any case, complete raw and composition security would obtain if the number of bits required to increase $p_1$ to $1$ goes up to $n$. For $I_{ac} \le 2^{-l'}$, by (7) this would happen at

$$l' \ge n - \log n \qquad (18)$$

For the case $d' \le 2^{-l}$ or $\delta_E \le 2^{-l}$, it would happen at

$$l \ge n \qquad (19)$$

It may be observed that KPA may significantly raise $p(\tilde K)$, Eve's success probability of getting any $\tilde K \subset K$, to an unacceptable level without deterministically compromising the whole $K$. Partial information locking of $K$ must, therefore, also be dealt with in a fundamental security analysis. The KPA case alone already shows that there is no universal composition security guarantee from $d$, at least when $d$ is not below a certain quantitative level. This is in fact a problem of any single-number criterion, but we will not go into the general issue in this paper.

When $l$ bits unlock the other $n - l$ bits of $K$, the information locking $\rho_E^k$ that shows interpretations (i) and (ii) to be false does not show (iii) to be false if $d'$ is used in place of $d$ and $d' \ge 1 - 1/2^{\,n-l}$. In the following section we give a specific though unrealistic scenario in which interpretation (iii) would fail for $d$.

VI. RELATION BETWEEN THE HOLEVO QUANTITY $\chi$ AND THE CRITERION $d$

The classical form of $d$, say as obtained from a measurement, is

$$\delta \equiv v\big(p(y|k)\,p_0(k),\; p(y)\,p_0(k)\big) \qquad (20)$$

The following simple relation between the above $\delta$ and the classical mutual information $I(K;Y)$ is an immediate consequence of the well known [9, p. 300] relation between relative entropy and variational distance, by considering $p(y,k)$ relative to $p(y)p_0(k)$. We have

Lemma 1:

The $\delta$ of (20) is upper bounded by $I(K;Y)$ in the form

$$2\delta^2 \le I(K;Y) \qquad (21)$$

From (21) one obtains the weak bound,

Lemma 2:

The criterion $d$ is upper bounded by the quantum accessible information $I_{ac}$ that Eve can get from her probe,

$$d \le \big[\,2^{|K|-1}\, I_{ac}\big]^{1/2} \qquad (22)$$

Proof:

From (14) each term $\frac{1}{2}\|\rho_E^k - \rho_E\|_1$ is bounded by a measurement result $Y^{(k)}$ satisfying (21). Thus,

$$d \le E_K\Big[\big(I(K;Y^{(k)})/2\big)^{1/2}\Big] \qquad (23)$$

By Jensen's inequality,

$$d \le \Big[\,E_K\, I(K;Y^{(k)})/2\Big]^{1/2} \qquad (24)$$

which is bounded as in (22) by adding the nonnegative terms for all the other $Y^{(k)}$ inside the $[\cdot]^{1/2}$ of (24), to get $E_K\, I(K;Y^{(k)}) \le \sum_k I(K;Y^{(k)}) \le 2^{|K|} I_{ac}$.

It is on the basis of eq. (16) in [3], which is equivalent to (22), that the incorrect conclusion is drawn in [3] that exponentially small $I_{ac}$ would guarantee composition security in previous security proofs. Our (18) or (22) shows that the exponent needs to be nearly all of $n$ for such a conclusion to hold. In the case of [14] with $n \sim 4000$, this means the exponent needs to be as big as $l' \sim n - \log n \approx 3988$.

The proper quantum generalization of Lemma 1 is not Lemma 2 but the following

Lemma 3:

The Holevo quantity [10],

$$\chi = S(\rho_E) - E_K\big[S(\rho_E^k)\big] \qquad (25)$$

bounds $d$ in the form

$$2d^2 \le \chi \qquad (26)$$

Proof:

Similar to the classical (21), (26) follows from theorem 5.5 of [19] with the quantum relative entropy $S(\rho\|\sigma)$ for $\rho = \rho_{KE}$ and $\sigma = \rho_K \otimes \rho_E$, for which $S(\rho_{KE}\|\rho_K \otimes \rho_E) = \chi$.

Since the security criterion is supposed to work for each and every $\rho_E^k$, consider the one that leads to $\chi$ insecurity. Let $\chi = 2^{-2m}$, $m > 0$. Thus from (26), $d \le 2^{-m}$, but it is insecure. However, since $I_{ac} \le \chi$, $\chi$ insecurity does not imply $I_{ac}$ insecurity. Although $I_{ac}/n \to \chi/n$ asymptotically [20,21], the total $I_{ac}$ and $\chi$ are not necessarily close for large $n$. One scenario in which that is the case is when blocks of such $n$ bits are themselves repeated $n'$ times for large $n'$, which is however not realistically applicable to concrete protocols.
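The two-bit locking example (13) of Section IV, together with the Helstrom probability (15) and the bound (26), evaluated numerically as an added example (this code is not part of the paper). It assumes a concrete real embedding of the four BB84 states, $|1\rangle = (1,0)$, $|3\rangle = (0,1)$, $|2\rangle = (1,1)/\sqrt{2}$, $|4\rangle = (1,-1)/\sqrt{2}$, which satisfies $\langle 1|3\rangle = \langle 2|4\rangle = 0$ as required, and it uses a small Jacobi eigenvalue routine in place of a linear-algebra library so that it runs with the Python standard library alone.

```python
# Added example, not from the paper: the two-bit information-locking states of
# eq. (13) worked out numerically in plain Python (no numpy).  It evaluates the
# criterion d of (14) and d' of (17), the known-plaintext attack on k2 given k1
# via the trace distance (5) and the Helstrom probability (15), and the Holevo
# quantity (25) to check the bound 2 d^2 <= chi of (26).  The BB84 states are
# taken as real vectors (an assumption of this example), so every operator
# below is a real symmetric matrix.
import math

SQ = 1 / math.sqrt(2)
# |1>,|3> form one basis and |2>,|4> the conjugate one: <1|3> = <2|4> = 0.
BB84 = {1: (1.0, 0.0), 3: (0.0, 1.0), 2: (SQ, SQ), 4: (SQ, -SQ)}


def projector(v):
    return [[a * b for b in v] for a in v]


def kron(A, B):
    n, m = len(A), len(B)
    return [[A[i // m][j // m] * B[i % m][j % m] for j in range(n * m)]
            for i in range(n * m)]


def lincomb(a, A, b, B):
    """a*A + b*B for equally sized matrices."""
    return [[a * x + b * y for x, y in zip(r, s)] for r, s in zip(A, B)]


def symmetric_eigenvalues(A, tol=1e-20, max_sweeps=60):
    """Eigenvalues of a real symmetric matrix by cyclic Jacobi rotations."""
    n = len(A)
    A = [row[:] for row in A]
    for _ in range(max_sweeps):
        if sum(A[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if abs(A[p][q]) < 1e-300:
                    continue
                theta = (A[q][q] - A[p][p]) / (2 * A[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.hypot(theta, 1.0))
                c = 1 / math.hypot(t, 1.0)
                s = t * c
                for k in range(n):                    # A <- A J
                    akp, akq = A[k][p], A[k][q]
                    A[k][p], A[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):                    # A <- J^T A
                    apk, aqk = A[p][k], A[q][k]
                    A[p][k], A[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return [A[i][i] for i in range(n)]


def trace_distance(rho, sigma):
    """D(rho, sigma) = (1/2) ||rho - sigma||_1, eq. (5)."""
    diff = lincomb(1.0, rho, -1.0, sigma)
    return 0.5 * sum(abs(x) for x in symmetric_eigenvalues(diff))


def entropy_bits(rho):
    return -sum(x * math.log2(x) for x in symmetric_eigenvalues(rho) if x > 1e-12)


def average(states):
    acc = [[0.0] * len(states[0]) for _ in states[0]]
    for s in states:
        acc = lincomb(1.0, acc, 1.0 / len(states), s)
    return acc


P = {i: projector(v) for i, v in BB84.items()}
# rho_E^{k1 k2} of eq. (13): k1 picks the basis of qubit 1; the outcome on
# qubit 1 picks the basis in which k2 is written on qubit 2.
RHO = {
    (0, 0): lincomb(0.5, kron(P[1], P[1]), 0.5, kron(P[3], P[2])),
    (0, 1): lincomb(0.5, kron(P[1], P[3]), 0.5, kron(P[3], P[4])),
    (1, 0): lincomb(0.5, kron(P[2], P[1]), 0.5, kron(P[4], P[2])),
    (1, 1): lincomb(0.5, kron(P[2], P[3]), 0.5, kron(P[4], P[4])),
}
MAXMIX = [[0.25 if i == j else 0.0 for j in range(4)] for i in range(4)]  # I/4


def analyse():
    rho_E = average(list(RHO.values()))                                   # (10), p0 = U
    d = sum(trace_distance(r, rho_E) for r in RHO.values()) / 4           # (14)
    d_ideal = sum(trace_distance(r, MAXMIX) for r in RHO.values()) / 4    # (17), N' = 4
    # KPA: k1 known, Eve decides k2 from rho^{k1 0} versus rho^{k1 1}
    D_kpa = min(trace_distance(RHO[(k1, 0)], RHO[(k1, 1)]) for k1 in (0, 1))
    # no KPA: Eve decides k2 from the k1-averaged states
    D_nokpa = trace_distance(average([RHO[(0, 0)], RHO[(1, 0)]]),
                             average([RHO[(0, 1)], RHO[(1, 1)]]))
    chi = entropy_bits(rho_E) - sum(entropy_bits(r) for r in RHO.values()) / 4  # (25)
    return {
        "rho_E_is_I_over_4": max(abs(a - b) for r, s in zip(rho_E, MAXMIX)
                                 for a, b in zip(r, s)) < 1e-9,
        "d": d,
        "d_ideal": d_ideal,
        "Pc_k2_given_k1": 0.5 + 0.5 * D_kpa,       # (15): 1, k2 leaked for sure
        "Pc_k2_without_k1": 0.5 + 0.5 * D_nokpa,   # (15): strictly below 1
        "chi": chi,
        "pinsker_ok": 2 * d * d <= chi + 1e-9,     # (26)
    }


if __name__ == "__main__":
    for name, value in analyse().items():
        print(name, value)
```

With these states $\rho_E = I/4$, so $d$ of (14) and $d'$ of (17) coincide at $1/2$; the trace distance between $\rho_E^{k_1 0}$ and $\rho_E^{k_1 1}$ is $1$ for both values of $k_1$, so by (15) Eve reads $k_2$ with certainty once $k_1$ is known, while without $k_1$ her best binary decision on $k_2$ succeeds with probability $1/2 + \sqrt{3}/4 \approx 0.93$; and $\chi = 1$ bit, so $2d^2 = 1/2 \le \chi$ as (26) requires.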

The next theorem shows that $\chi$ and $d$ have similar exponential behavior, and thus are actually similar security criteria.
Theorem 1: 

Let $h(\cdot)$ be the binary entropy function. Then

$$2d^2 \le \chi \le 8dn + 2h(2d) \qquad (27)$$

Proof:

The lower bound is Lemma 3. The upper bound is an immediate consequence of the theorem in [22], again using $S(\rho\|\sigma)$ for $\rho = \rho_{KE}$ and $\sigma = \rho_K \otimes \rho_E$.

With $d = 2^{-l}$ and $\chi = 2^{-l_\chi}$, the exponents, when non-negative, are related from (27) for $n \ge l$ as follows:

$$l - \log n - 4 \le l_\chi \le 2l \qquad (28)$$

Basically (27)-(28) show that the exponents of $d$ and $\chi$ for almost any $n$ are within a factor of two.

VII. IT SEMANTIC SECURITY AND PRIVACY AMPLIFICATION

What kind of raw security guarantee on $K$ should one have that is comparable to that of a uniform key? One can introduce the notion of information theoretic semantic security directly as

$$\Big|\, p(\tilde K) - \frac{1}{2^{|\tilde K|}} \Big| \le \epsilon(\tilde K) \qquad (29)$$
where $\tilde K$ is any subset of $K$ and $\epsilon(\tilde K)$ is allowed to vary depending on $\tilde K$, in contrast to (4). Such "semantic security" in complexity-based cryptography has been developed extensively [23] and generalized in an IT context [24]. However, in the context of IT physical cryptography in noise we should dispense with any algorithm in the definition and consider the full correlated statistical behavior of the system model. Thus (29) expresses the direct comparison with the ideal uniform key. In fact, as long as $\epsilon(\tilde K)$ is small enough, such as $\epsilon(\tilde K) = 2^{-|\tilde K|}$, we would not need to require that it can be driven to zero. It would be quite adequate, e.g., if $\epsilon$ is a constant $= 2^{-n}$ for an $n$-bit $K$, as discussed in Section II.

In the case one can guarantee only $\epsilon = 2^{-m}$ for $m < n$, it follows immediately that no IT semantically secure key (with arbitrarily small $\epsilon$) longer than $m$ bits can be obtained by any further processing on $K$. This is an immediate consequence of the fact that $p_1$ cannot be improved by any known deterministic transformation on $K$: Eve's best guess of $K$ maps to a guess of the processed key that is correct at least as often. Indeed, the original $p_1$ that results from Eve's measurement $Y$ before ECC+PAC also cannot be improved with such codes, i.e., not by the transformation from $Y$ to her estimate $\hat K(Y)$. Thus, the IT semantically secure key rate is reduced from the nominal one by a factor $m/n$.
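The claim that a deterministic PAC cannot lower $p_1$, worked as an added example (not from the paper). The PAC used here is a linear map over GF(2) whose rows are drawn from a fixed seed; it stands in for any openly known PAC, since the argument only uses that the map is deterministic and public. Eve's CPD is a constructed distribution with $p_1 = 2^{-n} + 2^{-l}$ on one key value; the values of $n$, $l$ and $m$ are arbitrary small choices so that the full distribution over $2^n$ keys can be enumerated.

```python
# Added example, not from the paper: a deterministic privacy amplification code
# (PAC) cannot reduce Eve's optimal guessing probability p_1, so an m-bit key
# hashed out of an n-bit K with p_1 ~ 2^-l is never IT semantically secure in
# the sense of eq. (29) with small eps once m > l.
import random
from fractions import Fraction


def parity(x):
    return bin(x).count("1") & 1


def gf2_hash(rows, k):
    """Linear PAC: output bit j is the parity of rows[j] AND k."""
    return sum(parity(r & k) << j for j, r in enumerate(rows))


def random_linear_pac(n, m, seed=7):
    """m rows of n bits; the seed is fixed so the example is reproducible."""
    rng = random.Random(seed)
    return [rng.getrandbits(n) for _ in range(m)]


def spiked_cpd(n, l):
    """Constructed CPD of Eve on the n-bit K with p_1 = 2^-n + 2^-l on k = 0,
    the remaining mass spread evenly (cf. eq. (8))."""
    N = 2 ** n
    p1 = Fraction(1, N) + Fraction(1, 2 ** l)
    rest = (1 - p1) / (N - 1)
    return [p1] + [rest] * (N - 1)


def induced_cpd(P, rows):
    """Eve's CPD on the PAC output K' = f(K): sums p(k) over each preimage."""
    Q = [Fraction(0)] * (2 ** len(rows))
    for k, p in enumerate(P):
        Q[gf2_hash(rows, k)] += p
    return Q


def guessing_after_pac(n, l, m, seed=7):
    """Compare p_1 before and after hashing K down to m bits."""
    P = spiked_cpd(n, l)
    rows = random_linear_pac(n, m, seed)
    Q = induced_cpd(P, rows)
    ideal = Fraction(1, 2 ** m)
    return {
        "p1_before": max(P),
        # >= p1_before: the preimage of Eve's best guess of K collects at
        # least the probability of that guess, whatever f is
        "p1_after": max(Q),
        "ideal_after": ideal,                               # 2^-m for a uniform m-bit key
        "semantic_gap": max(abs(q - ideal) for q in Q),     # eps(K') of eq. (29)
    }


if __name__ == "__main__":
    for m in (4, 6, 10):
        r = guessing_after_pac(n=12, l=4, m=m)
        print(m, {key: float(x) for key, x in r.items()})
```

For $n = 12$, $l = 4$ the hashed key's $p_1$ stays at or above $2^{-4} + 2^{-12}$ for every output length $m$, so the deviation $\epsilon(K')$ in (29) is at least $2^{-4} - 2^{-m}$; it is only when $m$ drops to about $l$ that $2^{-m}$ and Eve's guessing probability become comparable, which is the $m/n$ rate reduction stated above.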

Let us consider the security of such an $m$-bit key $K_r$ derived from the $n$-bit $K$. When it is obtained from a $d'$ guarantee of (17), all the subset probabilities $p(\tilde K)$ Eve may get by any measurement are properly bounded from (2). The users can guarantee $d' \le 2^{-m}$ for a sufficiently large $m$ under any $\rho_E^k$ Eve can launch that passes intrusion level estimation. However, in this case the resulting $p(\tilde K)$ or $p(\mathcal{E})$ bound for $K$ would not be quantum mechanically fundamental, because Eve could attack a specific subset $\tilde K$ of $K$ by an optimal measurement directed toward that subset instead of the whole $K$. Thus she has a $2^{|\tilde K|}$-ary detection problem instead of a $2^{|K|}$-ary one. Specifically, consider $K$ in two parts $K_1, K_2$ ($K = K_1 K_2$). In a KPA knowing $K_1 = k_1$, the state to Eve is $\rho_E^{k_1 K_2}$ and she has a $2^{|K_2|}$-ary quantum detection problem instead of the original $2^{|K|}$-ary one. Her optimum $2^{|K_2|}$-ary quantum detection performance cannot in general be obtained from the $2^{|K|}$-ary performance and a subsequent classical reduction to the $2^{|K_2|}$-ary case. Quantum mechanically there is no complete measurement which covers all such possibilities while maintaining performance, but there is classically.

The essential point is that quantum detection theory [18, 25] is the proper approach here for optimal performance analysis, not "information theory" in the narrow sense. Thus, the raw security guarantee on $p(\tilde K)$ we have discussed is also not ultimate, except for the total $K$ itself. Note that the effect of PAC on fundamental quantitative security also needs to be ascertained by quantum detection theory. The alternative is to bound $d'$.

While IT semantic security cannot be improved by any privacy amplification, let us consider the approach of leaving $m$ in $d' \le \epsilon = 2^{-m}$ much less than $n$, and keeping the original key generation rate. For example, with $n \sim 1000$ we assume $m \sim 40$ is sufficiently secure, which gives $p_1 \sim 2^{-40}$ on average before the Markov Inequality is applied, and a correspondingly weaker individual guarantee afterward [2]. In this manner, the above limit on key generation rate may also be extended. An important question is whether one can use PAC to further improve such "relaxed security" without full IT semantic security.

The answer is unknown. The standard reference [26] on the general possibility of privacy amplification starts with a Rényi entropy constraint on Eve, which is rarely used in security proofs. It is a good measure of "collision" but not of "uncertainty". Eve's total Shannon entropy on the key cannot be increased by a PAC, though her mutual information may decrease with respect to a shorter key. However, it is not known which PAC could reduce Eve's mutual information, total or per bit. It appears the answer depends strongly on her CPD on $K$.

On the other hand, the criterion $d$ has been used [6-7] for secure privacy amplification that makes $d$ small, given a prior lower bound on Eve's Shannon entropy or Rényi entropy. The failure of $d$ for interpretations (i)-(iii) shows that such privacy amplification cannot guarantee security against KPA, and $d'$ needs to be used instead.

Indeed, let $p_1$ be given by (7) before or after PAC, say guaranteed by an $I_{ac} \le \epsilon = 2^{-l'}$. Then knowing $m = l' + \log n$ bits of the $n$-bit $K$ may unlock the rest, if Eve knows $m$ data bits when $K$ is used in one-time pad encryption. With the above numerical example, that means it has not been ruled out that knowing 50 bits of data may lead to knowledge of the other unknown 950 bits. Thus, the relaxed security scenario would not provide a good enough security guarantee even if PAC is useful. Similarly, the situation is the same under the $d \le \epsilon$ guarantee. On the other hand, with full semantic security, where only $\le m$ bits of $K$ are generated, such a problem would not occur, subject to the above qualification of Eve's optimal detection under the $I_{ac}$ guarantee, or assuming $\rho_E$ produces $U(y)$ upon Eve's measurement under the $d$ guarantee. If one ignores the KPA problem for QKD, the question arises as to why not then just use conventional key expansion? The answer lies in the fact that there is no IT security against KPA at all in conventional ciphers. So QKD is an improvement when Eve has no quantum memory [2]. In such an application, one can of course no longer claim "unconditional security".

VIII. PROBLEMS OF UNCONDITIONAL SECURITY PROOFS IN QKD 

The criterion $d$ fails to provide KPA security and composition security in general. If $I_{ac} \le \epsilon = 2^{-l'}$ with $l' \ge n - \log n$, or $d' \le \epsilon = 2^{-l}$ with $l \ge n$, as in (18)-(19), the KPA security problem does not arise under the qualification described in the last section. In addition, as discussed in Section III and reinforced by [27], that is (exponentially) impossible to achieve with the usual key generation rate, and also cannot be achieved by privacy amplification. Furthermore, the key so generated in a concrete protocol is unlikely to be long enough to cover the message authentication key bits spent during key generation, such as in the case of [14]. See ref. [2].

There is no "unconditional security" guarantee in QKD. Furthermore, we have now the 
following broader fundamental QKD security problems. 

(i) There is no proof of security against known-plaintext attacks when the generated key $K$ is used in direct encryption and Eve possesses quantum memory, or in any other composition security context.

(ii) The fundamental raw security level of Eve's probability of correctly estimating any proper subset of $K$ is not bounded under either an $I_{ac}$ or a $d$ constraint.

(iii) The true secure key rate is far smaller and is determined by quantitative error exponents, the latter rarely analyzed in security proofs and for which $M$-ary quantum detection theory would be needed.

(iv) It is not clear what privacy amplification can achieve according to what security measure. It surely cannot improve information theoretic semantic security.

With such difficulties at the foundation of quantum key distribution, it appears that radically new approaches are appropriate for a fundamental security guarantee.